Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.10 Administration Guide
    7.2.10
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Configuring VIPs

    Configuring VIPs

    Virtual IPs can be configured for IPv4 and IPv6. After creating the VIP, add it to a firewall policy.

    FortiOS does not check whether VIPs overlap. As a result, you can configure multiple VIPs with the same external interface and IP. However, you can view overlapping VIPs in the security rating report. See Viewing VIP overlap in security rating reports.

    To configure a VIP in the GUI:

    1. Go to Policy & Objects > Virtual IPs and select Virtual IPs.

    2. Click Create New.

    3. Configure the following settings:

      Type

      Select IPv4 or IPv6.

      Name

      Enter a name for the VIP.

      Comments

      Enter a description of the VIP.

      Color

      Click Change to select a color for the VIP.

      Network

      Interface (extintf)

      The external interface that the firewall policy source interface must match.

      For example, if the external interface is port1, then the VIP can be used in a policy from port1 to port3, but not in a policy from port2 to port3.

      If the external interface is any, then the VIP can be used in any firewall policy.

      Type (type)

      • Static NAT - Use an external IP address or address range.

      • FQDN - Use an external IP or FQDN address.

      • load-balance (CLI only) - Load balance traffic.

      • server-load-balance - Load balance traffic across multiple servers. SSL processing can be offloaded to the FortiGate. This type of VIP is configure from Policy & Objects > Virtual Servers.

      • dns-translation (CLI only) - DNS translation.

      • access-proxy - Used for ZTNA. See ZTNA HTTPS access proxy example for details.

      External IP address/range (extip)

      In a static NAT VIP, the external IP address is the IP address that the FortiGate listens for traffic on.

      When the external interface is not any, 0.0.0.0 can be used to make the external IP address equivalent to the external interface's IP address.

      The external IP address is also used to perform SNAT for the mapped server when the server outbound traffic with a destination interface that matches the external interface. The firewall policy must also have NAT enabled.

      Map to

      IPv6 address/range (ipv6-mappedip)

      The IPv6 address or range that the internal resource is being mapped to.

      IPv4 address/range (mappedip)

      The IPv4 address or range that the internal resource is being mapped to.

      Optional Filters

      Enable to access additional options.

      Source address (src-filter)

      Restrict the source IP address, address range, or subnet that is allowed to access the VIP.

      Services (service)

      Set the services that are allowed to be mapped.

      Port Forwarding (portforward)

      Enable port forwarding and display additional options.
      Protocol (protocol)

      Select the protocol to use when forwarding packets to the port.

      Port Mapping Type

      • One to one - Each external service port is mapped to one port. A range is allowed, but the number of ports should be the same.

      • Many to Many - The port mapping can be one to one, one to many, or many to one. There are no restrictions on how many external ports must map to internal ports.

      External service port (extport)

      Enter the external service port range to be mapped to a port range on the destination network.

      Map to IPv6 port (ipv6-mappedport)

      Enter the mapped IPv6 port range on the destination network.

      Map to IPv4 port (mappedport)

      Enter the mapped IPv4 port range on the destination network.
    4. Click OK to save the VIP.

    Viewing VIP overlap in security rating reports

    There is no overlap check for VIPs, so there are no constraints when configuring multiple VIPs with the same external interface and IP. A new security rating report alerts users of any VIP overlaps.

    To configure two VIPs with the same external interface and IP:
    config firewall vip
    edit "test-vip44-1"
        set extip 10.1.100.154
        set mappedip "172.16.200.156"
        set extintf "port24"
    next
    edit "test-vip44-1_clone"
        set extip 10.1.100.154
        set mappedip "172.16.200.156"
        set extintf "port24"
        set src-filter 10.1.100.11
    next
end
    Note

    No error message appears regarding the overlapping VIPs.
    To view the security rating report:

    1. Go to Security Fabric > Security Rating and click the Optimization scorecard.

    2. Expand the Failed section. The Virtual IP Overlap results show an overlap (test-vip44-1 and test-vip44-1_clone) on the root FortiGate.

    Previous
    Next

    Configuring VIPs

    Configuring VIPs

    Virtual IPs can be configured for IPv4 and IPv6. After creating the VIP, add it to a firewall policy.

    FortiOS does not check whether VIPs overlap. As a result, you can configure multiple VIPs with the same external interface and IP. However, you can view overlapping VIPs in the security rating report. See Viewing VIP overlap in security rating reports.

    To configure a VIP in the GUI:

    1. Go to Policy & Objects > Virtual IPs and select Virtual IPs.

    2. Click Create New.

    3. Configure the following settings:

      Type

      Select IPv4 or IPv6.

      Name

      Enter a name for the VIP.

      Comments

      Enter a description of the VIP.

      Color

      Click Change to select a color for the VIP.

      Network

      Interface (extintf)

      The external interface that the firewall policy source interface must match.

      For example, if the external interface is port1, then the VIP can be used in a policy from port1 to port3, but not in a policy from port2 to port3.

      If the external interface is any, then the VIP can be used in any firewall policy.

      Type (type)

      • Static NAT - Use an external IP address or address range.

      • FQDN - Use an external IP or FQDN address.

      • load-balance (CLI only) - Load balance traffic.

      • server-load-balance - Load balance traffic across multiple servers. SSL processing can be offloaded to the FortiGate. This type of VIP is configure from Policy & Objects > Virtual Servers.

      • dns-translation (CLI only) - DNS translation.

      • access-proxy - Used for ZTNA. See ZTNA HTTPS access proxy example for details.

      External IP address/range (extip)

      In a static NAT VIP, the external IP address is the IP address that the FortiGate listens for traffic on.

      When the external interface is not any, 0.0.0.0 can be used to make the external IP address equivalent to the external interface's IP address.

      The external IP address is also used to perform SNAT for the mapped server when the server outbound traffic with a destination interface that matches the external interface. The firewall policy must also have NAT enabled.

      Map to

      IPv6 address/range (ipv6-mappedip)

      The IPv6 address or range that the internal resource is being mapped to.

      IPv4 address/range (mappedip)

      The IPv4 address or range that the internal resource is being mapped to.

      Optional Filters

      Enable to access additional options.

      Source address (src-filter)

      Restrict the source IP address, address range, or subnet that is allowed to access the VIP.

      Services (service)

      Set the services that are allowed to be mapped.

      Port Forwarding (portforward)

      Enable port forwarding and display additional options.
      Protocol (protocol)

      Select the protocol to use when forwarding packets to the port.

      Port Mapping Type

      • One to one - Each external service port is mapped to one port. A range is allowed, but the number of ports should be the same.

      • Many to Many - The port mapping can be one to one, one to many, or many to one. There are no restrictions on how many external ports must map to internal ports.

      External service port (extport)

      Enter the external service port range to be mapped to a port range on the destination network.

      Map to IPv6 port (ipv6-mappedport)

      Enter the mapped IPv6 port range on the destination network.

      Map to IPv4 port (mappedport)

      Enter the mapped IPv4 port range on the destination network.
    4. Click OK to save the VIP.

    Viewing VIP overlap in security rating reports

    There is no overlap check for VIPs, so there are no constraints when configuring multiple VIPs with the same external interface and IP. A new security rating report alerts users of any VIP overlaps.

    To configure two VIPs with the same external interface and IP:
    config firewall vip
    edit "test-vip44-1"
        set extip 10.1.100.154
        set mappedip "172.16.200.156"
        set extintf "port24"
    next
    edit "test-vip44-1_clone"
        set extip 10.1.100.154
        set mappedip "172.16.200.156"
        set extintf "port24"
        set src-filter 10.1.100.11
    next
end
    Note

    No error message appears regarding the overlapping VIPs.
    To view the security rating report:

    1. Go to Security Fabric > Security Rating and click the Optimization scorecard.

    2. Expand the Failed section. The Virtual IP Overlap results show an overlap (test-vip44-1 and test-vip44-1_clone) on the root FortiGate.

    Previous
    Next